Custom action with elevated privilege in MSIX

%3CLINGO-SUB%20id%3D%22lingo-sub-1748298%22%20slang%3D%22en-US%22%3ECustom%20action%20with%20elevated%20privilege%20in%20MSIX%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1748298%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20all%3C%2FP%3E%3CP%3ENow%20I'm%20able%20to%20translate%20MSI%20into%20MSIX%20(thanks%20to%20Advanced%20Installer%20Express%20edition)%20!%3C%2FP%3E%3CP%3EBut%20my%20actual%20MSI%20is%20executing%20a%20lot%20of%20Custom%20Actions%2C%20%3CSTRONG%3Eat%20installation%20time%20with%20elevated%20privilege%3C%2FSTRONG%3E%2C%20which%20are%20currently%20ignored%20by%20the%20corresponding%20translated%20MSIX.%3C%2FP%3E%3CP%3EIf%20I%20understand%20correctly%20I%20will%20have%20to%20use%20Power%20Shell%20scripts%20instead%2C%20but%20how%20%3F%3C%2FP%3E%3CP%3EIs%20it%20documented%20somewhere%20how%20to%20proceed%20with%20such%20Custom%20Actions%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERgds%3C%2FP%3E%3CP%3EJF%20BAUDE%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1748343%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20action%20with%20elevated%20privilege%20in%20MSIX%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1748343%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F814739%22%20target%3D%22_blank%22%3E%40JF_BAUDE%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDuring%20an%20MSIX%20package%20installation%20you%20cannot%20execute%20any%20code%2C%20the%20all%20known%20custom%20actions%20support%20from%20MSIs%20does%20not%20apply%20for%20MSIX%20packages.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20an%20app%20packaged%20with%20MSIX%2C%20you%20can%20execute%20one%20PS%20script%20%3CSTRONG%3Ewhen%20your%20application%20launches%3C%2FSTRONG%3E%20and%20one%20script%20%3CSTRONG%3Ewhen%20the%20application%20closes%3C%2FSTRONG%3E%2C%20leveraging%20the%20PS%20support%20from%20the%20Package%20Support%20Framework.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%20note%20that%20these%20scripts%20get%20executed%20%3CSTRONG%3Eafter%3C%2FSTRONG%3E%20the%20MSIX%20has%20been%20installed%2C%20so%20you%20should%20not%20consider%20them%20the%20equivalent%20of%20MSI%20custom%20actions.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20you%20give%20us%20more%20details%20about%20what%20actions%20(customizations)%20are%20your%20custom%20actions%20performing%3F%20Maybe%20we%20can%20suggest%20a%20different%20solution.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBogdan%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1748431%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20action%20with%20elevated%20privilege%20in%20MSIX%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1748431%22%20slang%3D%22en-US%22%3E%3CP%3EHIi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F814739%22%20target%3D%22_blank%22%3E%40JF_BAUDE%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20can%20use%20the%20%3CA%20href%3D%22https%3A%2F%2Fwww.advancedinstaller.com%2Fuser-guide%2Fwin-store-app-declarations.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EDeclarations%20view%3C%2FA%3E%20to%20define%20an%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fuwp%2Fpackaging%2Fapp-capability-declarations%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eapp%20declaration%3C%2FA%3E%20for%20your%20firewall.%20Please%20note%20that%20this%20can%20be%20done%20only%20for%20applications%20you%20install%20from%20within%20your%20package%2C%20i.e.%20you%20cannot%20make%20a%20firewall%20configuration%20for%20an%20EXE%20that%20is%20not%20part%20of%20your%20MSIX%20package.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20certificates%2C%20I%20am%20afraid%20I%20am%20not%20aware%20of%20any%20solution.%20I%20don't%20think%20MSIX%20packages%20are%20intended%20for%20this%20purpose.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%20note%20that%20MSIX%20packages%20are%20designed%20with%20a%20per-user%20deployment%20model.%20Per-machine%20resource%20deployment%2C%20like%20certificates%2C%20drivers%2C%20etc...%20are%20not%20on%20the%20radar%20AFAIK.%3CBR%20%2F%3E%3CBR%20%2F%3EBogdan%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1748572%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20action%20with%20elevated%20privilege%20in%20MSIX%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1748572%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F147865%22%20target%3D%22_blank%22%3E%40Bogdan%20Mitrache%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20if%20I%20understand%20correctly%20I%20will%20have%20to%20use%20both%20of%20your%20proposals%3A%3C%2FP%3E%3CP%3E1)%20the%20%3CA%20href%3D%22https%3A%2F%2Fwww.advancedinstaller.com%2Fuser-guide%2Fwin-store-app-declarations.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EDeclarations%20view%3C%2FA%3E%20to%20define%20an%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fuwp%2Fpackaging%2Fapp-capability-declarations%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eapp%20declaration%3C%2FA%3E%20for%20firewall%20settings%3C%2FP%3E%3CP%3E2)%20MSIX%20Custom%20Scripts%20(see%20latest%20%3CA%20title%3D%22Package%20Support%20Framework%22%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FMSIX-PackageSupportFramework%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EPackage%20Support%20Framework%3C%2FA%3E)%20for%20certificates%20settings%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENo%20other%20way%20actually%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERgds%3C%2FP%3E%3CP%3EJF%20BAUDE%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1749160%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20action%20with%20elevated%20privilege%20in%20MSIX%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1749160%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F814739%22%20target%3D%22_blank%22%3E%40JF_BAUDE%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETheoretically%2C%20yes%20you%20can%20use%20the%20%3CA%20href%3D%22https%3A%2F%2Fwww.advancedinstaller.com%2Fforums%2Fviewtopic.php%3Ft%3D41018%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EPS%20scripts%20to%20trigger%20an%20MSI%3C%2FA%3E%20and%20do%20whatever%20is%20not%20supported%20by%20an%20MSIX%20package.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20in%20this%20case%2C%20may%20I%20ask%3A%20What%20is%20the%20point%20of%20building%20an%20MSIX%20if%20the%20main%20functionality%20is%20still%20inside%20the%20MSI%3F%20Why%20don't%20you%20stick%20with%20the%20MSI%20delivery%20for%20such%20kind%20of%20packages%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou'are%20just%20adding%20one%20more%20layer%20of%20abstraction%20(by%20wrapping%20the%20MSI%20with%20an%20MSIX)%20that%20increases%20the%20complexity%20of%20your%20package%2C%20without%20no%20major%20obvious%20benefits.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3EBogdan%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1748354%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20action%20with%20elevated%20privilege%20in%20MSIX%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1748354%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Bogdan%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMost%20of%20my%20C.A.%20are%20adding%20%22customer%22%20certificates%20like%20this%3A%3C%2FP%3E%3CP%3E...%3C%2FP%3E%3CP%3E%3CROW%3EInstallCertifCA3106SystemFoldercertutil.exe%20-addstore%20-f%20%22CA%22%20%22%5BINSTALLDIR%5Dcertificates%5CXXX_MyCertificate_CA.crt%220Installing%20Certificate%20CA%3C%2FROW%3E%3CBR%20%2F%3E....%3C%2FP%3E%3CP%3EBut%20also%20%22granting%22%20firewall%20access%20to%20our%20application%20such%3A%3C%2FP%3E%3CP%3E%3CROW%3EAddFirewall3106WindowsFoldernetsh%20firewall%20add%20allowedprogram%20%22%5BINSTALLDIR%5DMyApplication.exe%22%20%22MyApplication%22%20ENABLE0Setting%20firewall%3C%2FROW%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERgds%3C%2FP%3E%3CP%3EJF%20BAUDE%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1749495%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20action%20with%20elevated%20privilege%20in%20MSIX%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1749495%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20again%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESorry%20to%20insist%20but%20in%20the%20post%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.advancedinstaller.com%2Fuser-guide%2Ftutorial-msix-custom-scripts.html%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.advancedinstaller.com%2Fuser-guide%2Ftutorial-msix-custom-scripts.html%3C%2FA%3E%26nbsp%3B%20nothing%20is%20said%20about%20elevated%20privilege%20(i.e.%20Admin%20right)%3C%2FP%3E%3CP%3EAm%20I%20missing%20something%20%3F%3C%2FP%3E%3CP%3ECan%20we%20launch%20PS%20with%20%3CSTRONG%3Eelevated%20privilege%3C%2FSTRONG%3E%20once%20at%20first%20execution%20of%20my%20App.exe%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERgds%3C%2FP%3E%3CP%3EJF%20BAUDE%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1763990%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20action%20with%20elevated%20privilege%20in%20MSIX%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1763990%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F814739%22%20target%3D%22_blank%22%3E%40JF_BAUDE%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENot%20that%20I%20know%20of.%20Currently%2C%20there%20are%20no%20methods%20to%20trigger%20a%20script%20when%20you%20install%20or%20uninstall%20an%20MSIX%20package.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBogdan%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi all

Now I'm able to translate MSI into MSIX (thanks to Advanced Installer Express edition) !

But my actual MSI is executing a lot of Custom Actions, at installation time with elevated privilege, which are currently ignored by the corresponding translated MSIX.

If I understand correctly I will have to use Power Shell scripts instead, but how ?

Is it documented somewhere how to proceed with such Custom Actions ?

 

Rgds

JF BAUDE

 

11 Replies

Hi @JF_BAUDE,

 

During an MSIX package installation you cannot execute any code, the all known custom actions support from MSIs does not apply for MSIX packages.

 

For an app packaged with MSIX, you can execute one PS script when your application launches and one script when the application closes, leveraging the PS support from the Package Support Framework. 

 

Please note that these scripts get executed after the MSIX has been installed, so you should not consider them the equivalent of MSI custom actions.

 

Can you give us more details about what actions (customizations) are your custom actions performing? Maybe we can suggest a different solution.

 

Bogdan

Hi Bogdan

 

Most of my C.A. are adding "customer" certificates like this:

...

<row><td>InstallCertifCA</td><td>3106</td><td>SystemFolder</td><td>certutil.exe -addstore -f "CA" "[INSTALLDIR]certificates\XXX_MyCertificate_CA.crt"</td><td>0</td><td>Installing Certificate CA</td></row>
....

But also "granting" firewall access to our application such:

<row><td>AddFirewall</td><td>3106</td><td>WindowsFolder</td><td>netsh firewall add allowedprogram "[INSTALLDIR]MyApplication.exe" "MyApplication" ENABLE</td><td>0</td><td>Setting firewall</td></row>

 

Rgds

JF BAUDE

 

HIi @JF_BAUDE,

 

You can use the Declarations view to define an app declaration for your firewall. Please note that this can be done only for applications you install from within your package, i.e. you cannot make a firewall configuration for an EXE that is not part of your MSIX package.

 

For certificates, I am afraid I am not aware of any solution. I don't think MSIX packages are intended for this purpose.

 

Please note that MSIX packages are designed with a per-user deployment model. Per-machine resource deployment, like certificates, drivers, etc... are not on the radar AFAIK.

Bogdan

Hi @Bogdan Mitrache 

So if I understand correctly I will have to use both of your proposals:

1) the Declarations view to define an app declaration for firewall settings

2) MSIX Custom Scripts (see latest Package Support Framework) for certificates settings

 

No other way actually ?

 

Rgds

JF BAUDE

Hi @JF_BAUDE 

 

Theoretically, yes you can use the PS scripts to trigger an MSI and do whatever is not supported by an MSIX package.

 

But in this case, may I ask: What is the point of building an MSIX if the main functionality is still inside the MSI? Why don't you stick with the MSI delivery for such kind of packages?

 

You'are just adding one more layer of abstraction (by wrapping the MSI with an MSIX) that increases the complexity of your package, without no major obvious benefits.

 

Regards,

Bogdan

Hi again

 

Sorry to insist but in the post https://www.advancedinstaller.com/user-guide/tutorial-msix-custom-scripts.html  nothing is said about elevated privilege (i.e. Admin right)

Am I missing something ?

Can we launch PS with elevated privilege once at first execution of my App.exe ?

 

Rgds

JF BAUDE

Hi@Bogdan Mitrache 

 

About your question related to MSI vs MSIX, we aim to go to MSIX packging because, as claimed by Microsoft, we want to benefit of easier deployment and also faster update(s) at user level.

 

Rgds

JF BAUDE

Hi @JF_BAUDE,

 

The PS sample from the Advanced Installer forums runs the MSI as an admin, so it should be able to install your certificates. Have you tried it?

 

Bogdan

Hi@Bogdan Mitrache 

 

Yes I tried something similar but focused on certutil command (thru a PS script) in order to add the expected certificates

And it is working correctly !

 

Rgds

JF BAUDE

Hi Bogdan

 

BTW is it possible to do something similar at UN-installation time for a MSIX ?

 

Rgds

JF BAUDE

Hi @JF_BAUDE 

 

Not that I know of. Currently, there are no methods to trigger a script when you install or uninstall an MSIX package.

 

Bogdan